TL;DR: On June 16, 2026, Symantec disclosed that DragonForce ransomware operators are hiding command-and-control traffic inside Microsoft Teams TURN relay infrastructure using a custom Go-based backdoor called Backdoor.Turn. Per Bleeping Computer's coverage, the malware obtains an anonymous Teams visitor token, sets up a connection through a legitimate Microsoft TURN relay, and then runs a QUIC session to the attacker's real C2 - so network defenders see only "outbound to Microsoft" and the SOC sees no suspicious domain. For NC SMBs running Microsoft 365 Business Premium - which is nearly all of them - the trust signal "the connection is to Microsoft" no longer means "the connection is safe."
Key takeaway: DragonForce did not break Microsoft Teams. They abused a protocol Teams already uses every day. The detection answer is not "block Teams" - it is "stop trusting Microsoft-fronted egress and start correlating endpoint, identity, and network signals."
Worried that your SOC or MSP would miss this on your network? Preferred Data Corporation runs managed detection and response (MDR) for NC SMBs, including identity-correlated network monitoring and DragonForce-class behavior detection. Call (336) 886-3282 or request a ransomware readiness review.
What is Backdoor.Turn and how does it abuse Microsoft Teams?
Backdoor.Turn is a custom Go-based backdoor that DragonForce affiliates deployed against a major US services company in early June 2026, per Symantec's June 16, 2026 writeup and The Hacker News coverage. The relay-abuse flow is:
- Backdoor.Turn requests an anonymous Microsoft Teams visitor token from Skype-backed identity services.
- It uses the token to register against a legitimate Microsoft TURN (Traversal Using Relays around NAT) relay.
- It opens a QUIC tunnel through that TURN relay to the attacker's actual C2 server.
- To a perimeter firewall or SIEM, the traffic looks like ordinary Microsoft Teams telemetry.
The TURN protocol itself is what Teams uses when a peer-to-peer connection cannot be established directly between clients - it's how Teams calls work behind strict NAT. Per Help Net Security's reporting, the attacker did not need to compromise Microsoft, plant a malicious Teams add-in, or even authenticate as a real user; they only needed the anonymous visitor token endpoint, which is publicly available so guests can join meetings.
What can Backdoor.Turn actually do once it's inside?
Per Symantec's capability summary, the malware supports:
- Arbitrary command execution.
- Process creation.
- Internal network scanning.
- TLS certificate capture (useful for HTTPS interception inside the network).
- LDAP and Active Directory enumeration.
- Lateral movement via stolen credentials.
- Browser credential theft.
These are the same capabilities Symantec and CrowdStrike have associated with the Scattered Spider / "Octo Tempest" cluster, which DragonForce has been publicly linked to. The cartel-style structure of DragonForce - documented by SecurityWeek - means the same Backdoor.Turn technique is now available to multiple affiliates targeting US business networks.
Why is this specifically dangerous for NC SMBs running Microsoft 365?
Because three industry-standard assumptions break at once:
| Common SMB Assumption | What DragonForce Breaks |
|---|---|
| Egress to *.microsoft.com and *.teams.microsoft.com is allowlisted as safe | Backdoor.Turn rides those exact destinations |
| "We have Microsoft Defender for Business, we're covered" | Defender does not flag legitimate Teams TURN traffic |
| Perimeter logs are enough for ransomware detection | The relevant signal is process-on-endpoint, not network destination |
Per Verizon's 2026 DBIR, ransomware accounts for 88% of SMB breach incidents. Per BlackFog's State of Ransomware 2026, 2026 attacks are increasingly characterized by "living off trusted services" - using Cloudflare Workers, GitHub Pages, Notion, and now Microsoft Teams as C2 fronts. The SMB defense that worked in 2022 (block weird domains, watch for known C2 IPs) does not detect this.
What is the actual blast radius of a DragonForce intrusion at a 50-person NC SMB?
A full domain takeover within days, in most observed cases. Per Symantec and SC Media, the post-intrusion path typically runs:
- Backdoor.Turn drops on a single endpoint (often via help-desk social engineering or a phished MFA token).
- The backdoor enumerates Active Directory and identifies privileged accounts.
- Stolen credentials are reused for lateral movement to file shares and the hypervisor.
- The hypervisor and backup servers are encrypted or deleted.
- DragonForce posts the stolen data to its leak site and triggers extortion.
Per BlackFog's 2026 data, 96% of ransomware attacks target backup locations and ransomware deploys within 7 days of initial access in 54% of incidents. For a 50-person NC SMB without 24x7 monitoring, the realistic dwell time is "long enough."
Quotable definition: Living-off-trusted-services (LOTS) is the 2026 ransomware tactic of moving command-and-control traffic onto known-good third-party platforms - Microsoft Teams, Cloudflare Workers, GitHub Pages, Notion - so the connection looks like normal business and survives perimeter blocklists. DragonForce's Backdoor.Turn is the current archetype.
How does an NC SMB detect Backdoor.Turn when the network signal looks like Teams?
By correlating four sources, not one. PDC scopes the MDR baseline as:
- Endpoint process telemetry - Unusual child processes spawned by Teams.exe, notepad.exe, or unknown Go binaries calling STUN/TURN libraries.
- DNS and SNI logging - Anonymous Teams visitor-token traffic from machines that are not signed-in Teams clients.
- Identity logs (Entra ID) - Skype-backed token grants without a corresponding interactive sign-in.
- Internal traffic - LDAP and SMB enumeration from a workstation that did not previously make those calls.
No one of those four is a smoking gun. All four together are. Per Microsoft's living-off-trusted-services guidance and CISA's joint advisories on Scattered Spider activity, endpoint+identity correlation is now the recommended SMB detection model.
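The correlation described above, written out as an added example in Python (this is not code from the original post, from Symantec, or from PDC). The four event lists are constructed sample telemetry, and the field names, the "teams_visitor_token" category label, the event type "skype_visitor_token_issued", and the thresholds in each rule are assumptions chosen to illustrate the model; a real deployment would map them onto whatever the EDR, DNS/SNI logger, Entra ID and flow collector actually emit. The point it demonstrates is the one the text makes: a single source (here, WS-HR-03's visitor-token traffic alone) is suppressed, while a host that trips all four sources is escalated.

```python
"""Per-host correlation of endpoint, DNS/SNI, identity and internal-traffic signals.

Added example, not from the original post. All events below are constructed
sample data; field names, category labels and thresholds are assumptions.
"""
from collections import defaultdict

# --- Constructed sample telemetry (assumed field names) -----------------------
ENDPOINT_EVENTS = [
    {"host": "WS-FIN-07", "parent": "Teams.exe", "child": "cmd.exe", "signed": True},
    {"host": "WS-FIN-07", "parent": "explorer.exe", "child": "updatesvc.exe",
     "signed": False, "imports": ["stun", "turn", "quic"]},
    {"host": "WS-ENG-02", "parent": "Teams.exe", "child": "Teams.exe", "signed": True},
]
DNS_SNI_EVENTS = [
    # "category" is an assumed label a DNS/SNI classifier would attach to
    # traffic toward the anonymous visitor-token flow; no real hostnames here.
    {"host": "WS-FIN-07", "category": "teams_visitor_token", "teams_signed_in": False},
    {"host": "WS-ENG-02", "category": "teams_visitor_token", "teams_signed_in": True},
    {"host": "WS-HR-03", "category": "teams_visitor_token", "teams_signed_in": False},
]
IDENTITY_EVENTS = [
    {"host": "WS-FIN-07", "event": "skype_visitor_token_issued", "interactive_signin_within_1h": False},
    {"host": "WS-ENG-02", "event": "skype_visitor_token_issued", "interactive_signin_within_1h": True},
]
INTERNAL_FLOWS = [
    {"host": "WS-FIN-07", "proto": "ldap", "dst_count_24h": 3, "baseline_dst_count": 0},
    {"host": "WS-FIN-07", "proto": "smb", "dst_count_24h": 41, "baseline_dst_count": 2},
    {"host": "WS-ENG-02", "proto": "smb", "dst_count_24h": 3, "baseline_dst_count": 3},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe"}
RELAY_LIBS = {"stun", "turn"}


def endpoint_signal(ev):
    """Teams/notepad spawning a shell, or an unsigned binary that links STUN/TURN code."""
    if ev["parent"].lower() in {"teams.exe", "notepad.exe"} and ev["child"].lower() in SHELLS:
        return True
    imports = {i.lower() for i in ev.get("imports", [])}
    return (not ev.get("signed", True)) and bool(RELAY_LIBS & imports)


def dns_sni_signal(ev):
    """Visitor-token traffic from a machine with no signed-in Teams client."""
    return ev["category"] == "teams_visitor_token" and not ev["teams_signed_in"]


def identity_signal(ev):
    """Visitor token issued with no interactive sign-in in the preceding hour."""
    return ev["event"] == "skype_visitor_token_issued" and not ev["interactive_signin_within_1h"]


def internal_traffic_signal(ev, factor=5):
    """LDAP/SMB fan-out well above the host's own baseline (or first-ever, >1 target)."""
    if ev["proto"] not in {"ldap", "smb"}:
        return False
    return ev["dst_count_24h"] > max(factor * ev["baseline_dst_count"], 1)


def correlate(endpoint_events, dns_sni_events, identity_events, internal_flows):
    """Return {host: {"signals": [...], "severity": ...}} for hosts with 2+ independent signals.

    One source alone is never escalated; all four together is treated as critical.
    """
    hits = defaultdict(set)
    for name, events, rule in (
        ("endpoint", endpoint_events, endpoint_signal),
        ("dns_sni", dns_sni_events, dns_sni_signal),
        ("identity", identity_events, identity_signal),
        ("internal_traffic", internal_flows, internal_traffic_signal),
    ):
        for ev in events:
            if rule(ev):
                hits[ev["host"]].add(name)

    findings = {}
    for host, names in hits.items():
        if len(names) >= 4:
            severity = "critical"
        elif len(names) >= 2:
            severity = "investigate"
        else:
            continue  # single-source hit: log it, do not page anyone
        findings[host] = {"signals": sorted(names), "severity": severity}
    return findings


if __name__ == "__main__":
    for host, f in correlate(ENDPOINT_EVENTS, DNS_SNI_EVENTS, IDENTITY_EVENTS, INTERNAL_FLOWS).items():
        print(f"{host}: {f['severity']} ({', '.join(f['signals'])})")
```

The severity ladder is deliberately conservative: the DNS/SNI rule fires on every guest who joins a meeting from an unmanaged browser, so on its own it is noise, and the identity rule has the same problem. Keying the escalation on the number of independent sources rather than on any one rule's confidence is what keeps the alert volume survivable for a one-person IT shop while still paging on the full pattern.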
What is the right 14-day containment plan after a DragonForce-class alert?
A two-week playbook PDC executes inside the managed cybersecurity service:
| Day | Action | Outcome |
|---|---|---|
| 0 | Isolate suspected endpoint, capture memory image, suspend identity (Entra disable) | Backdoor.Turn process pinned for forensics |
| 1 | Rotate all privileged credentials, revoke active sessions, force re-MFA | Stolen tokens become useless before lateral move |
| 2-3 | Hunt across remaining endpoints for the same process, child-spawn pattern, and anonymous TURN tokens | Persistence on second hosts identified |
| 4-7 | Validate backup integrity, restore from clean snapshot if needed, rebuild compromised endpoints | Encryption deadline beaten |
| 8-14 | Post-incident report, regulator notification (if applicable), insurance documentation, control upgrades | Audit-ready packet completed |
Key takeaway: A 50-person NC SMB cannot run this playbook with one IT person. The realistic option is a managed detection-and-response retainer that already has the on-call hours and the EDR/identity tooling pre-wired before the alert fires.
What controls should NC SMBs add this quarter even without a confirmed alert?
Three controls land high signal quickly and are typically inside SMB budget:
- EDR coverage on every endpoint - including remote workers, plant-floor PCs, and macOS. Without endpoint visibility, the TURN-relay abuse is invisible.
- Identity-aware monitoring - alert on any Skype/Teams visitor-token issuance from a non-Teams device or hour, anomalous AD enumeration, and stale-account use.
- Immutable backups - separated credentials, separated identity plane, regular restore tests. Per Verizon's 2026 DBIR, backup compromise is the single biggest extortion lever in 2026.
These are the same three controls cyber insurers increasingly require at 2026 renewal, per the Velocity cybersecurity insurance 2026 review.
How does Preferred Data Corporation help NC SMBs catch DragonForce-class attacks?
PDC supports NC small businesses, manufacturers, and distributors with the three controls above as a single managed service:
- Managed cybersecurity with 24x7 SOC monitoring, EDR coverage across Windows, macOS, and Linux, and identity-correlation playbooks built around Entra ID and Active Directory.
- Managed IT services with immutable backup design, patch management, and identity hygiene (MFA enforcement, conditional access, credential vault rollout).
- Incident response retainer that pre-positions PDC for the 14-day playbook above - so the clock starts when the first alert fires, not when a lawyer is finally located.
PDC has served NC small businesses for over 37 years with on-site coverage within 200 miles of High Point. The combination of local NC presence, 20+ year average client retention, and modern MDR/identity-correlation tooling is what gets a DragonForce-class detection-and-response capability deployed and verified in weeks, not months.
Ready to test whether your stack would catch Backdoor.Turn? Call (336) 886-3282 or request a ransomware tabletop with PDC.
Frequently Asked Questions
What is Backdoor.Turn in one sentence?
Backdoor.Turn is a Go-based custom backdoor used by DragonForce ransomware affiliates that hides its command-and-control traffic inside Microsoft Teams TURN relay infrastructure, per Symantec's June 16, 2026 disclosure. The traffic appears as legitimate Microsoft Teams telemetry to perimeter defenses.
Is Microsoft Teams itself vulnerable or compromised?
No. Per Help Net Security's reporting, the attacker abuses the publicly available anonymous-visitor-token endpoint that Teams uses to let guests join meetings without an account. Teams continues to function normally; the abuse happens at the protocol level, not at the application level.
Can my existing firewall block this?
Not reliably. The traffic egresses to legitimate Microsoft TURN relays on standard ports. Per Symantec, the durable detection signal is process-on-endpoint behavior and identity anomaly, not network destination. SMBs that rely only on perimeter blocklists will miss this attack class.
How is DragonForce different from regular ransomware?
DragonForce operates as a cartel-style ransomware-as-a-service, allowing affiliates to operate under the DragonForce brand with custom tooling, per SecurityWeek. The group has been publicly linked to the Scattered Spider / Octo Tempest cluster, which is known for help-desk social engineering and cloud-app data theft before encryption.
What does managed detection and response (MDR) cost for a 50-person NC SMB?
For a 50-person SMB, expect $60-$150 per endpoint per month for an MDR + EDR + identity-correlation bundle, with a separately scoped $5K-$15K incident-response retainer. PDC bundles these inside the managed cybersecurity service for predictable per-seat pricing and pre-positions the IR retainer at signing so the clock does not restart during an incident.
Related Resources
- Managed Cybersecurity Services for NC Businesses - 24x7 SOC, MDR, identity correlation
- Managed IT Services for NC Businesses - Backup design, identity hygiene, patch management
- Tycoon 2FA Takedown: NC SMB Phishing-Proof MFA Plan - Identity attack defense
- NightSpire Ransomware Hits Manufacturers - Companion ransomware post
- Veeam CVE-2026-44963: NC SMB Backup RCE Defense Plan - Backup integrity defense
- Contact Preferred Data Corporation - Schedule a ransomware tabletop